LWA Mobile SDK Overview

To access the Dash Replenishment Service (DRS), your DRS-enabled product needs to obtain a Login with Amazon access token, which will be sent up with each request. This document explains how to obtain an access token using the Login with Amazon SDK for Android or iOS.

Prerequisites

Before you integrate the LWA SDK into your companion app, your product must be able to generate a code verifier and create a code challenge. These values, along with the code challenge method, are used by LWA to validate requests from your product before tokens are exchanged. The LWA implementation of symmetric proof of possession is based on Proof Key for Code Exchange by OAuth Public Clients.

Code Verifier

A code verifier is a cryptographically random string generated by your product, which is hashed (SHA256) and handed off to your companion app. The string should be between 43 and 128 characters long and composed of characters from the URL and filename-safe alphabet ([A-Z], [a-z], [0-9], "-", "_", ".", "~").

The code verifier is sensitive data and should never be transferred from your product.

Code Challenge

Your client/product is expected to create a code challenge from the code verifier using one of the following transformations (SHA-256 is recommended):

plain
code challenge = code verifier

Note: The plain transformation is for compatibility with existing deployments and for constrained environments that can't use the S256 transformation.

S256
A Base64url encoding of your code verifier's SHA256 hashed bytes. The Base64url encoded string should not contain the following characters: "=", "+", or "/". Example of how to generate a code challenge in Java:
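The listing below is an added example, not Amazon's sample code. It generates a code verifier, checks it against the length and alphabet rules above, and derives the S256 code challenge, self-checking against the sample verifier/challenge pair from RFC 7636, Appendix B. The class and method names are hypothetical, and it assumes `java.util.Base64` is available (Java 8+, Android API level 26+).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

// Hypothetical class name; illustrative code, not part of the LWA SDK.
public class PkceExample {
    // Allowed verifier alphabet and length: [A-Z] [a-z] [0-9] - _ . ~, 43 to 128 characters.
    private static final String VERIFIER_PATTERN = "^[A-Za-z0-9\\-._~]{43,128}$";

    /** 32 bytes from a CSPRNG, Base64url-encoded without padding: 43 characters. */
    static String generateCodeVerifier() {
        byte[] random = new byte[32];
        new SecureRandom().nextBytes(random);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(random);
    }

    /** S256: Base64url (no padding) of SHA-256 over the verifier's ASCII bytes. */
    static String generateCodeChallenge(String codeVerifier) throws NoSuchAlgorithmException {
        if (!codeVerifier.matches(VERIFIER_PATTERN)) {
            throw new IllegalArgumentException("code verifier has invalid length or characters");
        }
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(codeVerifier.getBytes(StandardCharsets.US_ASCII));
        // The URL-safe encoder never emits '+' or '/'; withoutPadding() drops '='.
        return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Known-answer check with the sample values from RFC 7636, Appendix B.
        String sampleVerifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
        String expected = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSQ8xh_M";
        String actual = generateCodeChallenge(sampleVerifier);
        if (!expected.equals(actual)) {
            throw new AssertionError("S256 mismatch: " + actual);
        }

        String verifier = generateCodeVerifier();          // never leaves the product
        String challenge = generateCodeChallenge(verifier); // handed to the companion app
        System.out.println("code challenge: " + challenge + " (method: S256)");
    }
}
```

Only the challenge and the method name are passed to the companion app; avoid logging the verifier on the product.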